Trojan.VB.VZO

Page 1 of 5

  1. DJG
    Posts : 1,008
    Windows 7 RTM x64
       #1

    Trojan.VB.VZO


    Anybody know anything about Trojan.VB.VZO? Couldn't get anything useful from Bing or Google other than a couple of "i seen it"s. It's suddenly now being flagged in an installation Zip archive for Next Up!'s Natural Voices' Audrey (yes, my car's MP3 player is a gorgeous British Lass, so sue me!). Thing is, I've installed this from Winzip several times over many years. Only now I got a hit on a scan.

    What is the potential damage? I guess I'm about to reload everything over again (except this!).


  2. Posts : 4,573
       #2

    On the case with no solution yet. But I did find this one and thought it was "cute".

    Trojan.VB.Zu blocks access to pornographic web pages based on the site's keywords. Upon visiting one of these sites, Internet Explorer is minimized and a message from the Koran is displayed.


  3. Posts : 4,573
       #3

    And, duh. If your scanner got a hit, your AV provider has a definition at their site.


  4. Posts : 8,398
    ultimate 64 sp1
       #4

    hopefully a false positive as it comes from a commercial software company?

    have you tried submitting zip file to any online scanners?

    (sorry if i'm stating the obvious...)


  5. DJG
    Posts : 1,008
    Windows 7 RTM x64
    Thread Starter
       #5

    Antman said:
    And, duh. If your scanner got a hit, your AV provider has a definition at their site.
    And zero info other than "it's a trojan!" Gee, thanks! I did Bing & Google - got a hit for Trojan condoms!

    Oh no! My porno life is ruined! OK, let me test that one out, see if it's a pseudonym.

    Typically, while I understand the backdoor paradigm, how do they normally get activated and used? Is it mostly annoyanceware? I haven't had any unusual behavior, other than some BSODs attributable to shifting OC parameters in the hardware.

    The firewall hasn't reported anything like "Trojan.VB.VZO is asking to trash your C: drive [DENY] [ALLOW]".

    I always set my FW to no auto rules and no auto training. I get prompted 1st time for everything and it creates the rule based on my response.

    I started to upload but it's a 654MB Zip archive, and I have 800Kbs upstream - would take forever ... I'm waiting to get a little more info if possible.


  6. Posts : 4,573
       #6

    DJG said:
    I did Bing & Google...
    I would not do that without a Trojan.

    DJG said:
    But I DO have one! HE-LLOOO! Read the title!
    You are free to Bing & Google your brains out.


  7. DJG
    Posts : 1,008
    Windows 7 RTM x64
    Thread Starter
       #7

    But I DO have one! HE-LLOOO! Read the title!


  8. DJG
    Posts : 1,008
    Windows 7 RTM x64
    Thread Starter
       #8

    OK, I just rebooted from my 7232 install, which hasn't been up in a few days. Also I have an earlier beta of OSS. I immediately scanned the file and - no hit. So it's either new heuristics in the released version, or new def. I run the update cycle & re-scan - Bingo! Trojan hit.

    I'm scratching my head. If it's a new ware, what's it doing in an old file? Maybe injected recently? It's a huge zip file, so probably tempting place to hide crappola in. I suppose they can do it without altering size & dates. The file is originally from 2005. I extracted from an image backup from 6/22 and it's there too.

    Or maybe it's a false positive? I have installed this thing many times, several in the past three months. If it is indeed infected, wonder what it's doing? I hope they get really bored, fall asleep on the keyboard, hit the DEL key and delete their main data bank ...

    OMG! Antman used a wormhole post!


  9. Posts : 4,573
       #9

    DJG said:
    ...OMG! Antman used a wormhole post!
    I can find ref's to Trojan.Downloader.VB.VZO, circa 2005-2006. No good def's though.

    At a minimum, write protect your compressed files. I find it odd that something would inject a payload into a single archive. Transient malware. Hit one file and leave before detection, with the payload undetected? That is one clever worm.

    Speaking of clever worms, I have a court date at 10 a.m.


  10. DJG
    Posts : 1,008
    Windows 7 RTM x64
    Thread Starter
       #10

    Well, I'm on a new fairly bare clean install. I think it may be a false positive. When I have time I'll ship it upstream to Agnitum and let them check it out. Now I'm re-installing and putting things back in order, again, minus the one. Sigh ...

    OTOH, that install was an upgrade, so I don't feel as bad.

    Thanks for the scouting. Have a fine day in court ...
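Posts #8 and #9 leave open whether the 2005 archive was altered recently, given that size and dates can be kept unchanged. The following is an added example, not part of the thread: it compares a known-good copy (such as the one restored from the image backup) with the flagged copy by the content hash of every member, so preserved timestamps and sizes do not hide a change. The member names and sample bytes are constructed for illustration.

```python
import hashlib
import io
import zipfile

def sha256_stream(fh, chunk=1 << 20):
    """Hash a file-like object in chunks so a 654 MB archive never sits in RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def member_digests(archive):
    """Map each member name to the SHA-256 of its decompressed bytes."""
    digests = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                digests[info.filename] = sha256_stream(member)
    return digests

def diff_archives(known_good, suspect):
    """Compare two copies of an archive by content, ignoring size and timestamps."""
    old, new = member_digests(known_good), member_digests(suspect)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def build_sample(files):
    """Constructed sample data: an in-memory zip with fixed 2005 timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2005, 1, 1, 0, 0, 0)), data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Hypothetical member names; both copies have the same sizes and dates.
    backup = build_sample({"setup.exe": b"A" * 64, "voices/audrey.dat": b"B" * 64})
    current = build_sample({"setup.exe": b"A" * 63 + b"X", "voices/audrey.dat": b"B" * 64})
    print(diff_archives(backup, current))
```

An empty result for all three lists means the flagged copy has the same contents as the older one, which points toward a change in the scanner's definitions rather than in the file. `diff_archives` also accepts file paths in place of the in-memory samples.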


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd